Information Exposure Affecting github.com/prebid/prebid-server/privacy/ccpa package, versions <0.113.0
Attack Complexity
Low
Scope
Changed
Confidentiality
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GITHUBCOMPREBIDPREBIDSERVERPRIVACYCCPA-1015605
-
published
18 May 2020
-
disclosed
18 May 2020
-
credit
djcsdy
How to fix?
Upgrade github.com/prebid/prebid-server/privacy/ccpa to version 0.113.0 or higher.
Overview
github.com/prebid/prebid-server/privacy/ccpa is an open source implementation of Server-Side Header Bidding.
Affected versions of this package are vulnerable to Information Exposure. Specifically, privacy/ccpa/policy.go and privacy/gdpr/policy.go include code that attempts to generate JSON by concatenating strings. If the us_privacy or consent fields contain the character ", this can produce malformed JSON, or JSON with an unintended structure. An attacker could exploit this bug to trick Prebid Server into mutating an OpenRTB bid request to contain arbitrary data, bypassing validation.